safety integrity level
Recently Published Documents

Total documents: 133 (five years: 33). H-index: 8 (five years: 2).

Electronics, 2021, Vol 10 (24), pp. 3150
Author(s): Lars Huning, Elke Pulvermueller

In order to meet regulatory standards in the domain of safety-critical systems, these systems have to include a set of safety mechanisms depending on the Safety Integrity Level (SIL). This article proposes an approach for how such safety mechanisms may be generated automatically via Model-Driven Development (MDD), thereby improving developer productivity and decreasing the number of bugs that occur during manual implementation. The approach provides a structured way to define safety requirements, which may be parsed automatically and are used for the generation of software-implemented safety mechanisms, as well as the initial configuration of hardware-implemented safety mechanisms. The approach for software-implemented safety mechanisms relies on the Unified Modeling Language (UML) for representing these mechanisms in the model and uses model transformations to realize them in an intermediate model, from which code may be generated with simple 1:1 mappings. The approach for hardware-implemented safety mechanisms builds upon a template-based code snippet repository and a graphical user interface for configuration. The approach is applied to the development of a safety-critical fire detection application and the runtime of the model transformations is evaluated, indicating a linear scalability of the transformation steps. Furthermore, we evaluate the runtime and memory overhead of the generated code.


2021, Vol 35 (12), pp. 5445-5452
Author(s): Yuan-Jian Yang, Chao Huang, Qiu-Yang Zhong, Hai-Jun Chen, Hong-Zhong Huang

Energies, 2021, Vol 14 (23), pp. 7872
Author(s): Shiguang Li, Xiaojie Wu

Modern explosion protection equipment, protected by traditional explosion protection technology (as defined by the International Electrotechnical Commission (IEC) publication IEC60079-ff series standards) and electrical/electronic/programmable electronic (E/E/PE) safety-related systems, is becoming ever more complex in coal mine development and the petrochemical industry; thus, the possibility of failures in their operation is also growing. It is well-known that E/E/PE safety-related systems can be used to actively control dangerous sources, with real and expected levels of reliability, if they have been qualified according to the IEC61508-ff series standards. To uniformly evaluate the safety integrity level (SIL) of the explosion protection function of traditional explosion protection technology and E/E/PE safety-related system technology, this study analyzed the ability of these types of protection to remove the residual ignition risk, evaluating the failure rates of safety devices. The key objective of this paper is the presentation of a new equipment protection level (EPL) assessment method for explosion protection equipment based on a functional safety assessment. The method is applied to a variable frequency drive (VFD) system, and the results show that the EPL of the explosion protection equipment evaluated by this method is consistent with the EPL corresponding to the traditional explosion protection type of the IEC60079-ff series standard. Meanwhile, the flexible configuration of explosion protection safety devices and E/E/PE safety-related systems enables explosion protection equipment of different EPLs to be designed.


Energies, 2021, Vol 14 (21), pp. 6942
Author(s): David Marcos, Maitane Garmendia, Jon Crego, José Antonio Cortajarena

The increasing use of lithium batteries and the necessary integration of battery management systems (BMS) has led international standards to demand functional safety in electromobility applications, with a special focus on electric vehicles. This work covers the complete design of an enhanced automotive BMS with functional safety from the concept phase to verification activities. Firstly, a detailed analysis of the intrinsic hazards of lithium-based batteries is performed. Secondly, a hazard and risk assessment of an automotive lithium-based battery is carried out to address the specific risks deriving from the automotive application and the safety goals to be fulfilled to keep it under control. Safety goals lead to the technical safety requirements for the next hardware design and prototyping of a BMS Slave. Finally, the failure rate of the BMS Slave is assessed to verify the compliance of the developed enhanced BMS Slave with the functional safety Automotive Safety Integrity Level (ASIL) C. This paper contributes the design methodology of a BMS complying with ISO 26262 functional safety standard requirements for automotive lithium-based batteries.


Kerntechnik, 2021, Vol 86 (5), pp. 343-352
Author(s): J. Cui, Y. Cai, Y. Wu

Software criticality analysis examines the degree of contribution that each individual failure mode of a software component has on the reliability of software. Higher safety integrity levels are assigned to software modules whose failures cause an unacceptable impact on the operation of the system, and these levels require the implementation of more rigorous software quality assurance measures as defined in IEEE Std 1012 and in the customer's system requirements specification. In this paper, a novel software criticality analysis method is proposed, the results of which can be used to guide the development of newly developed software and the procurement of Commercial-Off-The-Shelf (COTS) software. The software structure is first analyzed and the software is divided into modules according to their functions. Then the criticality levels of software components are preliminarily classified by means of a safety criticality preliminary analysis tree, followed by their verification through software hazard and operability analysis (HAZOP). Finally, the target Safety Integrity Level (SIL) of each software module is determined based on its criticality level and the overall safety objective (i.e., SIL) of the system it resides in. As an example, the proposed method is applied to a nuclear power plant safety-critical system to demonstrate the detailed application process and to verify the feasibility of the method. Compared with existing software criticality analysis methods, this method has better operability and verifiability, and can be utilized as technical guidance for the software criticality analysis of nuclear power plant digital control systems.


Author(s): Shinji Inoue, Takaji Fujiwara, Shigeru Yamada

Safety integrity level (SIL)-based functional safety assessment has been widely required for designing safety functions and checking their validity in electrical/electronic/programmable electronic (E/E/PE) safety-related systems since IEC 61508 was issued in 2010. For the hardware of E/E/PE safety-related systems, quantitative functional safety assessment based on target failure measures is needed for deciding or allocating the SIL. On the other hand, IEC 61508 does not provide any quantitative safety assessment method for allocating a SIL to the software of E/E/PE safety-related systems, because software failure is treated as a systematic failure in IEC 61508. We discuss the need for quantitative safety assessment of the software of E/E/PE safety-related systems and propose mathematical fundamentals for conducting quantitative SIL-based safety assessment of such software by applying the notion of software reliability modeling and assessment technologies. We show numerical examples to explain how to use our approaches.


2021, Vol 27 (8), pp. 894-911
Author(s): Nermin Kajtazovic, Peter Hödl, Leo Happ Botler

Coexistence of software components and functions of different criticality in a single computing platform has challenged the safety community for the past two decades. Despite the efforts made so far, dealing with mixed criticality still leaves room for improvement. One particular concern is that partitioning of hardware and software resources with regard to criticality (safety related, non-safety related) has direct implications on how safety measures need to be realised. For example, a self-test that must meet a certain diagnostic coverage for the microcontroller core by inspecting its instructions needs to cover only those instructions which are able to affect a safety function. Available software mechanisms and tools are to a certain extent still unable to deal with such a fine-grained selection of resources. In this work, we introduce a compiler extension and language support which enable accurate selection of data based on their criticality. The compiler extension serves to establish detailed traceability between the software code and its representation in runtime memory. With the language support, individual data elements can be classified based on the desired safety integrity level. As a result, safety measures that operate on data (e.g. the Abraham test for SRAM) can achieve better coverage. The method has been evaluated and applied to industrial safety controllers. We provide relevant performance figures and discuss possible applications of the method in other fields.


2021, Vol 11 (16), pp. 7764
Author(s): Kewei Ji, Linguo Chai, Sihui Li, Xiangyan Liu, Xiu Pan

To meet the demand for middle- and low-density railway lines, a Global Navigation Satellite System (GNSS)-based train integrity monitoring system (TIMS) is used for train integrity detection. Each system has to be analyzed before it is applied in practice. To evaluate the safety of train integrity detection, a collision risk evaluation method is proposed based on the positioning errors and protection level, in which the Probability of dangerous Failure per Hour (PFH) is computed to quantify the criteria of the Safety Integrity Level (SIL). Then, an experiment-based simulation procedure is presented for safety verification. Statistical results have been obtained from field test data, and simulations are carried out using CPN and MATLAB to verify the collision risk of GNSS-based train integrity detection. The results show that GNSS-based train integrity detection satisfies the safety requirements in the system design phase for railway applications.


Author(s): Shinji Inoue, Takaji Fujiwara, Shigeru Yamada

Quantitative and analytical safety assessment methods for E/E/PE safety-related software systems based on the SIL defined by IEC 61508 have been proposed. IEC 61508 does not provide quantitative and analytical methods for safety assessment of the software. Our methods give quantitative information on safety measures for deciding the safety integrity level and the testing time duration needed to achieve a certain safety integrity level of E/E/PE software, respectively. Our stochastic modeling approaches are based on software reliability modeling and software reliability assessment techniques. Numerical examples for our methods have been shown to explain how to use our software safety assessment approaches conforming to IEC 61508.

